AWS Security Fundamentals

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
AWS Security Fundamentals
Fatima Ahmed
Technical Account Manager

Welcome!

Making life easier
• Choosing security does not mean giving up on
convenience or introducing complexity

Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded

Strengthen your security posture
Get native functionality and tools
Over 30 global compliance
certifications and accreditations
Leverage security enhancements gleaned
from 1M+ customer experiences
Benefit from AWS industry leading
security teams 24/7, 365 days a year
Security infrastructure built to
satisfy military, global banks, and other
high-sensitivity organizations

Why is Security Traditionally Hard?
Lack of visibility Low degree of automation

New Tools in Your Toolbox – Security Controls
• Directive
• Preventive
• Detective
• Responsive

Security Controls
• Responsive Controls
• Directive Controls
• Preventive Controls
• Detective Controls

Understand AWS Security Practice

Prescriptive Approach
Understand
AWS
Security
Practice
Build Strong
Compliance
Foundations
Integrate Identity
& Access
Management
Enable
Detective
Controls
Establish
Network
Security
Implement
Data
Protection
Optimize
Change
Management
Automate
Security
Functions
https://aws.amazon.com/security/security-resources

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

Build Strong Compliance
Foundations

AWS Shared Responsibility Model
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =
Customer
Controls
• Scope of responsibility depends on the type of service offered by AWS: Infrastructure,
Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and systems
are secure!

Broad Accreditations & Certifications
https://aws.amazon.com/compliance/dod/

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability
Zones Edge
Locations
Your own
accreditation
Meet your own security objectives
Your own
certifications
Your own
external audits
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS consistent
baseline controls
Your ControlsAWS
https://d0.awsstatic.com/whitepapers/compliance/AWS_DOD_CSM_Reference_Architecture.pdf

Directive Controls
Establish the governance, risk, and compliance models the environment will
operate

Account Governance & Ownership
AWS
Organizations
AWS
IAM
Centrally manage multiple accounts to help you scale.
• control which AWS services are available to individual accounts
• automate new account creation
• easily manage security and automation settings
Securely control access to AWS services and resources for
your users.

AWS Identity & Access Management
IAM Users IAM Groups IAM Roles IAM Policies

Account Governance – New Accounts
InfoSec’s
Cross-
Account
Roles
AWS Account
Credential
Management
(“Root Account”)
Federation
Baseline Requirements
Actions &
Conditions
Map
Enterprise
Roles

Preventive Controls
Protect your workloads and mitigate threats and vulnerabilities

Infrastructure Protection
Amazon
VPC
AWS
CloudFormation
AWS
OpsWorks
security
group
AWS WAF
AWS
Shield
Virtual firewall that
controls the traffic for
one or more resources.
Easily create and
manage a collection of
related AWS resources,
provisioning and
updating them in an
orderly and predictable
fashion
Automate how servers
are configured,
deployed, and
managed.
Provision a logically isolated
section of AWS cloud where you
can launch AWS resources in a
virtual network that you define.
DDoS protection service that
safeguards web applications
running on AWS
Protect your web applications
from common web exploits that
could affect
application availability,
compromise security, or consume
excessive resources
R e s o u r c e s N e t w o r k

VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Amazon Virtual Private Cloud

DDoS protections built into AWS
• Protection against most common
infrastructure attacks
• SYN/ACK Floods, UDP Floods, Refection
attacks etc.
• No additional cost
DDoS mitigation
systems
DDoS Attack
Users

Advanced DDoS protection
Layer 7
application
protection
Layer 3/4
infrastructure
protection

Layer 3/4 infrastructure protection
• Advanced mitigation techniques
Deterministic
filtering
Traffic prioritization
based on scoring
Advanced routing
policies

AWS WAF – Layer 7 application protection
Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring
and tuning

AWS Shield Standard
• Free of Cost
• Network Flow monitoring
• Quick Detection
• Inline Attack Mitigation
• DDoS protection best practices/architecture review
• Instant rule updates using Web Application Firewall (WAF)
Protection against most common DDoS attacks, and access to tools and best
practices to build a DDoS resilient architecture.

AWS Shield Advanced
• Application Traffic monitoring
• Additional DDoS mitigation capacity for large attacks
• Layer 3 / Layer 4 attack notification
• Layer 3 / Layer 4 / Layer 7 attack historical report
• Custom mitigations during attacks
• Post attack analysis
• DRT-driven application layer (Layer 7) mitigations
• Currently available to only Business and Enterprise Support customers
Additional protection against larger and more sophisticated attacks, visibility into
attacks, and 24X7 access to DDoS experts for complex cases.

Data Protection
• Deep integration
with AWS Services
• CloudTrail
• AWS SDK for
application
encryption
AWS KMSAmazon CloudHSM
• Dedicated HSM
• Integrate with on-
premises HSMs
• Hybrid Architectures
AWS Certificate Manager
• Provision, manage,
and deploy TLS
certificates
• Use with Amazon ELB
or Amazon CloudFront
distribution

Authenticating AWS to you and protecting
confidentiality using TLS
• TLS can be used with every AWS API to protect data upload/download and
configuration change
• You can provide your own certificates to be presented to your customers
when using:
• Elastic Load Balancing
• Amazon CloudFront (content distribution network)

AWS Certificate Manager (ACM)
• Provision trusted SSL/TLS certificates from AWS for use with AWS
resources:
– Elastic Load Balancing
– Amazon CloudFront distributions
• AWS handles the muck
– Key pair and CSR generation
– Managed renewal and deployment
• Domain validation (DV) through email
• Available through AWS Management Console, AWS Command
Line Interface (AWS CLI), or API

Options for using encryption in AWS
Client-side encryption
• You encrypt your data before data submitted to service
• You supply encryption keys OR use keys in your AWS account
• Available clients:
• S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK
Server-side encryption
• AWS encrypts data on your behalf after data is received by service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift,
WorkSpaces, Amazon Kinesis Firehose, CloudTrail

AWS Key Management Service
Customer Master
Key(s)
Data Key 1
Amazon
S3 Object
Amazon EBS
Volume
Amazon
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4
Managed service to securely create, control, rotate, and use
encryption keys.

AWS CloudHSM
AWS
CloudHSM
AWS Administrator –
manages the appliance
You – control keys and
crypto operations
Amazon Virtual Private Cloud
Help meet compliance requirements for data security by using a dedicated Hardware
Security Module appliance with AWS.
• Dedicated, single-tenant hardware device
• Can be deployed as HA and load balanced
• Customer use cases:
• Oracle TDE
• MS SQL Server TDE
• Setup SSL connections
• Digital Rights Management (DRM)
• Document Signing

CloudHSM
• Dedicated access to one or more HSM
devices that comply with government
standards (for example, FIPS 140-2,
Common Criteria)
• You control all access to your keys and
the application software that uses them
• Supported applications:
– Your custom software
– Third-party software
– AWS services: Amazon Redshift, RDS for Oracle
Comparing CloudHSM with KMS
KMS
• Highly available and durable key storage,
management, and auditable service
• Allows you to import keys
• Easily encrypt your data across AWS
services and within your own applications
based on policies you define
• Supported applications:
– Your custom software built with AWS SDKs/CLI
– AWS services (S3, EBS, RDS, Amazon Aurora,
Amazon Redshift, WorkMail, WorkSpaces,
CloudTrail, Elastic Transcoder)

Ubiquitous encryption
EBS
RDS
Amazon
Redshift
S3
Amazon
Glacier
Encrypted in transit
AWS CloudTrail
IAM
Fully auditable
Restricted access
and at rest
Fully managed
keys in KMS
Imported
keys
Your KMI

Break

Database security with Amazon RDS

Database security
Commercial solutions through Amazon RDS:
Amazon
DynamoDB
Amazon
Redshift
Amazon
Aurora
AWS Database
Migration Service
Amazon database solutions:

AWS database services and encryption at rest
Server-side encryption with KMS
RDS MySQL
RDS PostgreSQL
RDS SQL Server
RDS Oracle
RDS MariaDB
Amazon Aurora
Amazon Redshift
Server-side encryption with CloudHSM
Amazon Redshift
RDS Oracle TDE
Microsoft SQL TDE
Client-side encryption for
row/column/field-level protection
DynamoDB encryption client
Build your own with AWS SDK
third-party solutions

AWS data platforms - IAM and CloudTrail
• API permissions
• Enforce separation of duties
• Resource-based permissions
• Use tags by environment
• Integrated with CloudTrail
• Alert on key management activities

Preventive Controls
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-2",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::111122223333:user/KMSAdminUser",
"arn:aws:iam::111122223333:role/KMSAdminRole"
]},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"arn:aws:iam::111122223333:user/KMSUser",
"arn:aws:iam::111122223333:role/KMSRole",
"arn:aws:iam::444455556666:root"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"arn:aws:iam::111122223333:user/KMSUser",
"arn:aws:iam::111122223333:role/KMSRole",
"arn:aws:iam::444455556666:root"
]},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
]
Allows the AWS account (root user)
111122223333 full access to the CMK, and
thus enables IAM policies in the account to
allow access to the CMK.
Allows IAM user KMSAdminUser and IAM
role KMSAdminRole to administer the CMK.
Allows IAM user KMSUser, IAM role
KMSRole, and AWS account 444455556666
to use the CMK.

Track, detect, and take action
Tracking
• AWS Config rules
• Amazon CloudWatch Events
• AWS CloudTrail
• Amazon Inspector
Coordination
• Amazon SWF
• AWS CodePipeline
Execution
• AWS Lambda
Securing
• MFA
• IAM policies
Track/log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• Amazon SNS
…

• You have options to implement data controls that meet your business needs
• Take advantage of managed services, and let us do the heavy lifting
• Protect your data but also track, detect, and take action on changes and events

Detective Controls
Full visibility and transparency over the operation of your deployments in
AWS

VISIBILITY
AWS
CloudTrail
AWS
Config
Amazon
CloudWatch
Amazon
Inspector
Flow
logs
Web service that records
AWS API calls for your
account and delivers log
files to you.
Monitoring service for
AWS cloud resources and
the applications you run
on AWS.
- collect and track
metrics
- collect and monitor log
files
- set alarms
- automatically react to
changes in your AWS
resources
Resource inventory,
configuration history,
and configuration
change notifications to
enable security and
governance
Automatically assesses
applications for
vulnerabilities or
deviations from best
practices
Capture information about the IP
traffic going to and from network
interfaces in your VPC.
Account Resources Network

Stream of
configuration items
for all changes
Collection of
configuration items
for all resources
Configuration items
can be viewed as a
history
record configuration
changes
AWS Config

AWS Config

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept or
reject

VPC Flow Logs
• Amazon
Elasticsearch
Service
• Amazon
CloudWatch
Logs
subscriptions

VPC Flow Logs – CloudWatch Alarms

Responsive Controls
Drive remediation of potential deviations from your security baselines

AUDITABILITY
AWS
Config
rule
AWS Trusted Advisor
Config Rules enables you to create rules that automatically
check the configuration of AWS resources recorded by AWS
Config.
Trusted Advisor provides real time
guidance to help you provision your
resources following AWS best
practices.
- reduce cost
- increase performance
- improve security

AWS Config & Config Rules
AWS
Config
Amazon
Config Rules
ü Record configuration changes
continuously
ü Time-series view of resource changes
ü Archive & Compare
ü Enforce best practices
ü Automatically roll-back unwanted
changes
ü Trigger additional workflow

Core Checks and Recommendations
Access to the six core Trusted Advisor checks to help increase the security and
performance of your environment.
Checks include:
Security: Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root
Account, EBS Public Snapshots, RDS Public Snapshots
Performance: Service Limits
Available to all AWScustomers

Available with Business or Enterprise support plans
Core Checks and Recommendations
Access to the full set of Trusted Advisor checks to help optimize your entire AWS
infrastructure.
Additional benefits include:
Notifications: Stay up-to-date with your AWS resource deployment with weekly
updates.
Programmatic access: Retrieve and refresh Trusted Advisor results
programmatically using AWS Support API.

AWS Config Rules – Enforce Volume Encryption

AWS Config Rules – Evaluation Results

AWS Artifact
• Audit and compliance portal for on-demand access to download AWS’ compliance reports and
manage select agreements for ISO, PCI, SOC, and other regulatory standards.
• Benefits:
– Reports On-Demand
– Globally Available
– Easy Identification
– Quick Assessments
– Continuous Monitoring
– Enhanced Transparency

Evolving the Practice of Security Architecture
• Security architecture as a separate function can no longer exist
• Static position papers,
architecture diagrams &
documents
• UI-dependent consoles
and technologies
• Auditing, assurance,
and compliance are
decoupled, separate
processes
Current Security
Architecture
Practice

Evolving the Practice of Security Architecture
• Security architecture can now be part of the ‘maker’ team
• Architecture artifacts
(design choices,
narrative, etc.)
committed to common
repositories
• Complete solutions
account for automation
• Solution architectures
are living
audit/compliance
artifacts and evidence
in a closed loop
Evolved Security
Architecture
Practice
AWS
CodeCommit
AWS
CodePipeline Jenkins

AWS CloudFormation – Infrastructure as Code
Template StackAWS
CloudFormation
• Orchestrate changes across AWS
Services
• Use as foundation to Service Catalog
products
• Use with source code repositories to
manage infrastructure changes
• JSON-based text file describing
infrastructure
• Resources created
from a template
• Can be updated
• Updates can be
restricted

Change Sets – Create Change Set

Change Sets

AWS Marketplace Security Partners
Infrastructure
Security
Logging &
Monitoring
Identity &
Access Control
Configuration &
Vulnerability
Analysis
Data
Protection

Security is a service team, not a blocker
Security is everyone's job
Allow flexibility and freedom
but control the flow and result.

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

AWS Security Fundamentals

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a AWS Security Fundamentals

Similar a AWS Security Fundamentals (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

AWS Security Fundamentals